Alpaquita Linux: OSV-Scanner quick start guide

This document explains how to scan Alpaquita Linux images and the packages they contain with OSV-Scanner.

1. Introduction

OSV-Scanner is a security tool that scans software images and reports the known vulnerabilities in the software they contain. The tool and its documentation are available at the OSV-Scanner website. In most cases, using OSV-Scanner with BellSoft Hardened Containers and Alpaquita Linux is the same as using it with any other Linux OS or application image in a supported format.

2. OSV database

OSV-Scanner is built around the OSV database, an online vulnerability database that uses the OSV schema. You can browse the published vulnerability information for BellSoft Hardened Containers and Alpaquita products in your web browser.

3. Using OSV-Scanner

To use OSV-Scanner, install it either manually or from the Alpaquita Linux package repository:

  1. Manual installation: download a release binary from https://github.com/google/osv-scanner/releases and put it in your PATH.

  2. Package installation in Alpaquita Linux: apk add osv-scanner

OSV-Scanner can scan container images, such as OS base images or application images, and analyze the software installed inside them.

Note:
There are other OSV-Scanner modes, but they are unrelated to this guide and out of its scope.

The supported input is a Docker image. OSV-Scanner can also scan an image that has been exported to an archive (for example, one produced by docker save); consult the official documentation for the exact options. To scan images by name, install Docker on the same system (apk add docker in Alpaquita Linux).

OSV-Scanner processes local Docker images. If you specify an image that is not available locally, the scanner tries to pull it over the network (for example, from Docker Hub) according to your Docker settings, so make sure you are scanning the exact tag or digest you intend to ship.

Basic scan

The following command scans the bellsoft/alpaquita-linux-go:1.25.0-glibc image for known vulnerabilities.

$ osv-scanner scan image bellsoft/alpaquita-linux-go:1.25.0-glibc
Checking if docker image ("bellsoft/alpaquita-linux-go:1.25.0-glibc") exists locally...
Saving docker image ("bellsoft/alpaquita-linux-go:1.25.0-glibc") to temporary file...
Invalid history entries found in image, layer metadata may not be populated: %!v(MISSING)
Scanning image "bellsoft/alpaquita-linux-go:1.25.0-glibc"
Starting filesystem walk for root:
End status: 1199 dirs visited, 10714 inodes visited, 607 Extract calls, 51.771545ms elapsed, 51.771786ms wall time
Starting filesystem walk for root:
End status: 0 dirs visited, 1 inodes visited, 1 Extract calls, 246.701µs elapsed, 246.87µs wall time

Container Scanning Result (BellSoft Alpaquita Linux Stream (glibc)):
Total 3 packages affected by 16 known vulnerabilities (0 Critical, 1 High, 3 Medium, 2 Low, 10 Unknown) from 1 ecosystem.
16 vulnerabilities can be fixed.

Alpaquita:stream
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Source:os:var/lib/apk/db/installed                                                                              │
├──────────────┬─────────────────┬──────────────┬──────────┬───────────────────────┬────────────────┬─────────────┤
│SOURCE PACKAGE│INSTALLED VERSION│FIX AVAILABLE │VULN COUNT│BINARY PACKAGES (COUNT)│INTRODUCED LAYER│IN BASE IMAGE│
├──────────────┼─────────────────┼──────────────┼──────────┼───────────────────────┼────────────────┼─────────────┤
│ go           │ 1.25.0-r0       │Fix Available │       11 │ go, go-doc            │ # 1 Layer      │ --          │
│ openssh      │ 10.0_p1-r8      │Fix Available │        2 │openssh-client-commo(3)# 1 Layer      │ --          │
│ openssl      │ 3.5.2-r0        │Fix Available │        3 │ libcrypto3, libssl3   │ # 0 Layer      │ --          │
╰──────────────┴─────────────────┴──────────────┴──────────┴───────────────────────┴────────────────┴─────────────╯

For the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve <image_name>`.
You can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical <image_name>`.

The result above shows that the image bellsoft/alpaquita-linux-go:1.25.0-glibc (an older build) has 3 source packages affected by 16 known vulnerabilities, all of which are already fixed in Alpaquita Linux Stream (FIX AVAILABLE in every row). Rebuilding the image on a current base, or upgrading the listed packages, removes them.

Advanced scanner options

Running OSV-Scanner with additional options is useful in some cases. For example, the following command produces an HTML report that carries more detail than the console table.

osv-scanner scan image -f html --output /tmp/osvs-report.html bellsoft/alpaquita-linux-go:1.25.0-glibc
Figure 1. OSV-scan report in HTML format

The next command produces a detailed JSON file with full information on every vulnerability found.

osv-scanner scan image -f json --output /tmp/osvs-report.json bellsoft/alpaquita-linux-go:1.25.0-glibc

The JSON report contains a lot of useful information:

  "image_metadata": {
    "os": "BellSoft Alpaquita Linux Stream (glibc)",
  ...
  }

The image_metadata section identifies exactly which image was scanned, including the OS it contains and its (Docker) layers.

  "results": [
    {
      "source": { ... }
    }
  ]

The results section contains all scan results, grouped by source: the OS packages and the language modules and libraries (Go, Python, etc.) found in the image.

  "results": [
    ...
    {
      "source": {
        "path": "var/lib/apk/db/installed",
        "type": "os"
      },
      "packages": [
      ...
      ]
    }
  ]

This entry of the results section (source type os, path var/lib/apk/db/installed) holds the findings for packages installed from the Alpaquita Linux apk database; it is the part of the report specific to BellSoft operating systems.

Another useful scanner option is --all-packages, as in the following example:

osv-scanner scan image --all-packages -f json --output /tmp/osvs-report.json bellsoft/alpaquita-linux-go:1.25.0-glibc

This option adds every installed package to the report, including those with no known vulnerabilities, so the JSON contains the full inventory of OS packages, their versions, and related details. This is the report to keep for later re-checks against newly published advisories.
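The console table is convenient for a person, but a CI job needs to consume the JSON report and decide whether the image may ship. The following script is an added example, not OSV-Scanner's or BellSoft's own code: it flattens a report produced by osv-scanner scan image --all-packages -f json, lists the installed packages, and fails when a vulnerability with a fix available is at or above a CVSS threshold. The top-level layout (image_metadata, results[].source, results[].packages) follows the excerpts above; the field names inside each package entry (package, vulnerabilities[], groups[].max_severity) and inside each vulnerability (id, affected[].ranges[].events[].fixed) follow the OSV schema and are an assumption about the report. The embedded SAMPLE_REPORT is constructed: the package names and installed versions come from the table above, but the vulnerability IDs (EXAMPLE-0001, EXAMPLE-0002), fixed versions, severity score and the example-clean-pkg entry are placeholders, not real advisories. The file name osv_gate.py is likewise assumed.

```python
# Added example: summarise and gate an OSV-Scanner JSON report.
# Not part of OSV-Scanner or the Alpaquita documentation; field names beyond the
# page's excerpts follow the OSV schema and are an assumption about the report.
import json
import sys

# Constructed sample shaped like `osv-scanner scan image --all-packages -f json` output.
# IDs, fixed versions, the 7.5 score and example-clean-pkg are placeholders.
SAMPLE_REPORT = {
    "image_metadata": {"os": "BellSoft Alpaquita Linux Stream (glibc)"},
    "results": [{
        "source": {"path": "var/lib/apk/db/installed", "type": "os"},
        "packages": [
            {   # vulnerable, fix available, CVSS score known
                "package": {"name": "openssl", "version": "3.5.2-r0", "ecosystem": "Alpaquita:stream"},
                "vulnerabilities": [{
                    "id": "EXAMPLE-0001",
                    "affected": [{"package": {"name": "openssl", "ecosystem": "Alpaquita:stream"},
                                  "ranges": [{"type": "ECOSYSTEM",
                                              "events": [{"introduced": "0"}, {"fixed": "3.5.3-r0"}]}]}],
                }],
                "groups": [{"ids": ["EXAMPLE-0001"], "max_severity": "7.5"}],
            },
            {   # vulnerable, fix available, severity unknown (the "Unknown" bucket in the summary)
                "package": {"name": "openssh", "version": "10.0_p1-r8", "ecosystem": "Alpaquita:stream"},
                "vulnerabilities": [{
                    "id": "EXAMPLE-0002",
                    "affected": [{"package": {"name": "openssh", "ecosystem": "Alpaquita:stream"},
                                  "ranges": [{"type": "ECOSYSTEM",
                                              "events": [{"introduced": "0"}, {"fixed": "10.0_p1-r9"}]}]}],
                }],
                "groups": [{"ids": ["EXAMPLE-0002"]}],
            },
            {   # listed only because of --all-packages: no known vulnerabilities
                "package": {"name": "example-clean-pkg", "version": "1.0-r0", "ecosystem": "Alpaquita:stream"},
                "vulnerabilities": [],
                "groups": [],
            },
        ],
    }],
}


def fixed_versions(vuln, name, ecosystem):
    """Fixed versions the OSV entry declares for this package in its ECOSYSTEM ranges."""
    fixes = []
    for aff in vuln.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("name") != name or pkg.get("ecosystem", ecosystem) != ecosystem:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue
            fixes.extend(ev["fixed"] for ev in rng.get("events", []) if "fixed" in ev)
    return fixes


def installed_packages(report):
    """(name, version) of every package entry; with --all-packages this is the full inventory."""
    return [(p["package"]["name"], p["package"]["version"])
            for r in report.get("results", []) for p in r.get("packages", [])]


def findings(report):
    """One row per (package, vulnerability); severity comes from the groups section."""
    rows = []
    for result in report.get("results", []):
        source = result.get("source", {}).get("path", "?")
        for entry in result.get("packages", []):
            pkg = entry["package"]
            severity = {vid: grp.get("max_severity")
                        for grp in entry.get("groups", []) for vid in grp.get("ids", [])}
            for vuln in entry.get("vulnerabilities", []):
                rows.append({"source": source, "package": pkg["name"], "version": pkg["version"],
                             "id": vuln["id"], "max_severity": severity.get(vuln["id"]),
                             "fixed": fixed_versions(vuln, pkg["name"], pkg.get("ecosystem"))})
    return rows


def gate(report, threshold=7.0, fail_on_unknown=False):
    """Return (ok, blocking_rows). A finding blocks when a fixed version exists and its CVSS
    score is >= threshold, or when it has no score and fail_on_unknown is set. Findings without
    a fix are printed by the caller but never block: the image build cannot act on them yet."""
    blocking = []
    for row in findings(report):
        if not row["fixed"]:
            continue
        score = row["max_severity"]
        if score is None:
            if fail_on_unknown:
                blocking.append(row)
        elif float(score) >= threshold:
            blocking.append(row)
    return (not blocking, blocking)


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python osv_gate.py /tmp/osvs-report.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT                   # the constructed sample above
    print("scanned OS:", report.get("image_metadata", {}).get("os", "unknown"))
    print("packages in report:", len(installed_packages(report)))
    for row in findings(report):
        print(f"{row['package']} {row['version']}: {row['id']} "
              f"severity={row['max_severity'] or 'unknown'} fixed_in={','.join(row['fixed']) or '-'}")
    ok, blocking = gate(report)
    print("gate:", "pass" if ok else f"FAIL ({len(blocking)} blocking)")
    sys.exit(0 if ok else 1)
```

Run it after the scan step as python osv_gate.py /tmp/osvs-report.json; a non-zero exit fails the pipeline. The default policy blocks only on findings that already have a fix in the distribution, because those are the ones a rebuild on a current base image actually removes; set fail_on_unknown=True if your policy treats the "Unknown" severity bucket shown in the console summary as blocking too.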

Report formats

As described above, the OSV-Scanner can show the results directly in the console and create reports in different formats, such as HTML and JSON. The following output formats are currently supported:

  1. table (console output)

  2. html

  3. vertical (console output)

  4. json

  5. markdown

  6. sarif

  7. gh-annotations

  8. cyclonedx-1-4

  9. cyclonedx-1-5

  10. spdx-2-3

4. Other functions

SBOM

One additional function of OSV-Scanner is producing SBOM data for an image: either in the scanner's own JSON format or in the industry-standard SPDX (-f spdx-2-3) and CycloneDX (-f cyclonedx-1-4, -f cyclonedx-1-5) formats listed above.

5. FAQ

  1. I don’t have Docker to manipulate images. Can I still use OSV-Scanner?

    A: Yes. On a machine that has Docker, save the image you want to scan to an archive (docker save <image> -o image.tar), copy the archive to the scanning host, and scan the archive there; scanning an archive does not require Docker to be installed. Other OSV-Scanner modes also work without Docker.

  2. Can I use the scanner in the "offline" mode?

    A: Yes. Use the following options:

    • --offline - disables every feature that requires network access; the scan then relies only on a local copy of the database.

    • --download-offline-databases - downloads a local copy of the OSV database (this step itself needs network access).

    • --offline-vulnerabilities - matches packages against the locally stored OSV database instead of querying the online service.

    A typical workflow is to run once with network access and --download-offline-databases, then run later scans with --offline. A local database goes stale as new advisories are published, so refresh it regularly.
